Merck-Medco Managed Care, L.L.C.
Robert D. Marotta, Senior Vice President
Regulatory Counsel
Capitol Square, Suite 1800
65 East State Street
Columbus, OH 43215-4294
614-462-5435
Fax: 614-464-2634

October 12, 1998

Health Care Financing Administration
Department of Health and Human Services
Attention: HCFA-0049-P
P.O. Box 26585
Baltimore, MD 21207-0519

Re: Security and Electronic Signature Standards

Dear Ladies and Gentlemen:

I am submitting these comments in my capacity as Regulatory Counsel for Merck-Medco Managed Care, L.L.C. ("Merck-Medco") with respect to the proposed Rule on Security and Electronic Signature Standards (45 CFR Part 142). Merck-Medco designs and manages prescription drug benefit plans and acts as a provider through its own mail service pharmacies on behalf of its clients, which include more than 100 of the Fortune 500 companies, public employee health and retirement benefit plans (at the federal, state and local levels), labor union groups, Blue Cross and Blue Shield organizations, major insurance carriers, and federal, state and local governments seeking to provide quality care at affordable cost in an era of dynamic change and reform. Over 51 million Americans are eligible for prescription drug benefits through the more than 1,100 plan sponsors to which Merck-Medco provides services.

General Comment:

An important feature of each plan is the confidentiality of prescriptions and patient information. Merck-Medco has established strong and effective administrative and technical safeguards to protect the confidentiality of prescriptions and other personally identifiable patient information and to prevent unauthorized or improper access to, disclosure or use of the same. In that regard, Merck-Medco supports the creation of standards for the security of individual health information and electronic signature use by health plans, health care clearinghouses, and health care providers.

In a regulated area such as pharmacy, however, where the subject matter of the proposed Rule is presently subject to extensive legal, professional and ethical mandates, the principal focus of rulemaking should be to develop the goals and objectives which support the proposed standards, not the specific method, process or technical requirements for achieving the same. Merck-Medco believes the essence of its position is clearly set forth in the written comments of the National Council for Prescription Drug Programs, Inc., the Workgroup for Electronic Data Interchange, and other national organizations with a recognized expertise on the creation of standards and respectfully directs the Department to those filings for guidance on this threshold issue.

Specific Comment:

Subject to the General Comment set forth above, Merck-Medco believes that:

Introduction/Applicability
[63 Fed. Reg. 155, 43245]

Electronic signatures should not be mandated for any specific transactions at this point in time. If, however, electronic signature standards are mandated, then standards should be applied to all health care transactions, not just transactions that come within the purview of the Health Insurance Portability and Accountability Act of 1996.

Effective Dates
[63 Fed. Reg. 155, 43249]

If enacted as written, the proposed Rule would necessitate meaningful system changes and modifications. Aside from the significant cost, such an effort will require a great deal of time for implementation and training alone. Accordingly, the effective date of the proposed Rule is neither reasonable nor practical.

Administrative Procedures
[63 Fed. Reg. 155, 43251]

A formal security certification process is inappropriate. In any event, the evaluation of performance against "guidelines" should be assessed internally and not by an outside party.

Although media control processes are typically part of standard operations in a data center environment, this type of systematic control, simply put, does not work in a PC environment. Enforcement would be impractical, if not impossible. Control should be maintained at the user level, supported by the development and enforcement of a robust "need to know" policy.

Certain aspects of the proposed Rule go beyond its intended scope, e.g. contingency planning. Other aspects, such as Personnel Security, 63 Fed. Reg. 155, 43252(g); Security Management Process, 63 Fed. Reg. 155, 43252(j); Termination Procedures, 63 Fed. Reg. 155, 43252(k) and Training, 63 Fed. Reg. 155, 43252(k)(1) may not be applicable or even appropriate in all circumstances and should be so qualified. And, in every instance, the scope of the proposed Rule should be limited to protecting access to confidential information from a "data security perspective" and not used as a vehicle to promulgate policies on physical security, e.g. combination locks and site security plans.

Electronic Signature Standard
[63 Fed. Reg. 155, 43255]

Digital certificates are a viable solution in the near term for the delivery of secure health care transactions over "Open Networks," i.e., the Internet as opposed to dial-up lines. It should be noted, however, that digital certificates do face a significant challenge of broad industry acceptance, especially with regard to formalizing trust relationships, industry cross certification, business policies, and operational procedures.

The proposed Rule states that "[f]ederal agencies and States may place additional requirements on their health plans." 63 Fed. Reg. 155, 43258. This approach must be comprehensively evaluated so as to avoid multiple versions of the security and electronic signature standards. Preemption is appropriate.

Conclusion

Merck-Medco looks forward to working with the Department of Health and Human Services to find a better way of enhancing pharmaceutical care through the creation of standards for the security of individual health information and electronic signature use by health plans, health care clearinghouses, and health care providers. If you have any questions in the interim, please do not hesitate to contact me.

Very truly yours,

Robert D. Marotta